Web Developer Interview Questions

Earlier this week, I had to interview a bunch of applicants for a web developer role. The idea is to filter out those who aren’t really experienced as the job asks for people with at least 6 months of experience.

Anyway, below is the test I gave them. I don’t feel like giving something like it again in the future (it’s pretty crappy IMHO) so I think it would be a good idea to share it instead of just throwing it away.

Determine whether the statements below are true or false. Be prepared to explain your answer.

A primary key can be composed of multiple columns.

When you have two tables in a parent-child relationship (i.e. one table has a foreign key referring to the other table) deleting a parent record will delete all child records of that record.

Escaping special characters is the best way to avoid SQL injection.

You can undo UPDATE and DELETE changes to the database.

The VARCHAR data type can be used to save space when used over CHAR.

When using an RDBMS, normalization must be done for all tables.

Indexes speed up database actions.

Foreign keys are usually indexed.

Many-to-many relationships are implemented via junction/join tables.

Some HTML elements have been deprecated in favor of CSS.

The <strong> element can be used interchangeably with the <b> element.

Under strict XHTML rules, <br> is not a valid usage of the line break element.

The href attribute of the anchor element only accepts relative and absolute links.

The image tag is a block element.

When a form is submitted, the submitted data is derived from only the input elements inside the form.

Multiple elements can have the same id attribute.

Web servers serve content at port 443.

A web server can identify if a client has visited the website before.

POST is idempotent.

A browser redirect can be initiated by a response with an empty body.

In JavaScript, the var keyword is optional when declaring variables so it can be omitted in all cases.

You must specify a function name when declaring JavaScript functions.

Ajax will prevent you from performing other actions until the Ajax action is completed.

You are limited to using XML in Ajax.

You cannot change the values of a class variable.

Constructors are instance methods.

Polymorphism refers to the ability to define functions to have different behaviors depending on the passed arguments.

High cohesion and loose coupling can improve coding speed.

You can combine the features of two classes via inheritance.

Encapsulation is primarily used for security reasons.

Answers below the cut.

—

Any decent web developer would see why I’m not too comfortable with this test: most of the items are trick questions. The fun part here is that I did that not because I want to boost my ego like many complicated/puzzle questions (secretly) do for the interviewers, but because I specifically wanted to test the applicants’ levels using the Dreyfus model.

I didn’t need Novices, I needed Advanced Beginners to Competent applicants, hence the “Be prepared to explain your answer”. These questions were designed to be too hard for Novices while being too easy for Competent developers.

With a little luck, Novices can ace this exam. But ask them “Why?” and they’re sure to falter. Ask an Advanced Beginner the same question and they might answer “I tried using it the other way before; it didn’t work”. Ask a Competent developer and you’ll get “Actually, the answer can go either way, depending on whether you have this or that constraint”. (Ask an Expert and you’ll get something like this.)

Anyway, here are the answers. Scoring is simple: answer like a Competent developer and I’ll give you a pass, answer like a Novice and I’ll fail you.

A primary key can be composed of multiple columns.

TRUE

As many people take the definition of a Primary Key to be a “single column that uniquely identifies rows”, even Advanced Beginners might consider this false because it violates that “single column” definition.

When you have two tables in a parent-child relationship (i.e. one table has a foreign key referring to the other table) deleting a parent record will delete all child records of that record.

DEPENDS

When you define a foreign key, you can choose to define the referential action to be done upon deletion of the parent record. You can delete the child records, set the foreign key to NULL, or even do no action at all.

Escaping special characters is the best way to avoid SQL injection.

FALSE

While I’m happy to report that most of the applicants knew about SQL injection, none of them were able to answer this correctly. The best solution is to use a parameterized interface as suggested by OWASP:

The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface. Beware of APIs, such as stored procedures, that appear parameterized, but may still allow injection under the hood.

Escaping special characters is obviously #2.
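To make the OWASP point concrete, here is an added example (not from the original post) using Python’s sqlite3 on a constructed in-memory table: a hand-rolled quote escaper (escape_quotes, hypothetical) does nothing useful when the value lands in an unquoted numeric context, while the parameterized query treats the very same input as a plain value.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny in-memory users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def escape_quotes(value):
    """Hypothetical hand-rolled escaper: doubles single quotes, which is what most
    'escape the special characters' approaches boil down to."""
    return str(value).replace("'", "''")

def lookup_by_id_escaped(conn, user_id):
    # Escaping is applied, but the value is spliced into a numeric context that
    # contains no quotes at all, so the escaper has nothing to act on and the
    # input still becomes part of the statement's structure.
    sql = "SELECT name FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]

def lookup_by_id_param(conn, user_id):
    # Parameterized: the driver passes the value separately from the SQL text,
    # so whatever it contains can only ever be compared against the id column.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

if __name__ == "__main__":
    conn = make_db()
    print(lookup_by_id_escaped(conn, "2"))         # ['bob']
    print(lookup_by_id_escaped(conn, "2 OR 1=1"))  # ['alice', 'bob', 'carol'], escaping did not help
    print(lookup_by_id_param(conn, "2"))           # ['bob']
    print(lookup_by_id_param(conn, "2 OR 1=1"))    # [], treated as a literal that matches nothing
```

The same split applies to every other context (LIKE patterns, identifiers, ORDER BY clauses): an escaper has to know the exact context it is protecting, whereas a parameterized API never has to.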

You can undo UPDATE and DELETE changes to the database.

DEPENDS

You can roll back those actions while inside a transaction, but in most cases, no, you can’t undo them. Hope you made backups.
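One way to put that into practice for ad hoc UPDATE/DELETE work is to wrap the statement in an explicit transaction and commit only when the affected row count matches what you expected. The following is an added example, not from the original post, using Python’s sqlite3 in autocommit mode against a constructed orders table; guarded_dml and its expected-row-count check are my own construction.

```python
import sqlite3

def make_db():
    # Constructed sample data: a tiny orders table. isolation_level=None puts the
    # driver in autocommit mode, so the BEGIN/COMMIT/ROLLBACK below are explicit.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [(1, "open"), (2, "open"), (3, "shipped")])
    return conn

def guarded_dml(conn, sql, params, expected_rows):
    """Run one UPDATE/DELETE inside a transaction and COMMIT only if it affected
    exactly expected_rows rows; otherwise ROLLBACK. Returns (committed, affected)."""
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        cur.execute(sql, params)
        affected = cur.rowcount
        if affected == expected_rows:
            cur.execute("COMMIT")
            return True, affected
        cur.execute("ROLLBACK")
        return False, affected
    except sqlite3.Error:
        cur.execute("ROLLBACK")  # a failed statement must not leave the transaction open
        raise

def count_with_status(conn, status):
    return conn.execute("SELECT COUNT(*) FROM orders WHERE status = ?",
                        (status,)).fetchone()[0]

if __name__ == "__main__":
    conn = make_db()
    # Over-broad WHERE clause: meant to remove one order but matches two, so it is undone.
    print(guarded_dml(conn, "DELETE FROM orders WHERE status = ?", ("open",), 1))  # (False, 2)
    print(count_with_status(conn, "open"))                                          # 2
    # Precise statement: matches exactly one row, so it is committed.
    print(guarded_dml(conn, "DELETE FROM orders WHERE id = ?", (2,), 1))           # (True, 1)
    print(count_with_status(conn, "open"))                                          # 1
```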

The VARCHAR data type can be used to save space when used over CHAR.

TRUE

Another surprising discovery: not a lot of people are familiar with SQL data types. I assume that they don’t care whether they’re using VARCHAR or CHAR when storing strings.

At any rate, this should be true due to VARCHAR’s variable-width nature as opposed to CHAR’s fixed-width, though not for all cases.

But when it comes down to usage, one provides semantics (i.e. meaning) while the other tells the browser how the enclosed text should look. It would not be unusual for a designer to style the <strong> tag so that the text is italicized, in bold face, and a few pixels larger than normal text.

Under strict XHTML rules, <br> is not a valid usage of the line break element.

DEPENDS

XHTML requires empty elements either to have an end tag or to have a start tag that ends with />.

<br> is still valid as long as it is immediately closed by </br>. However, it may give uncertain results in user agents.

The href attribute of the anchor element only accepts relative and absolute links.

Okay so this is a trick question. I didn’t specify if the “link” is a general URI (which would allow mailto: and javascript:) or just HTTP URI. I just wanted to know if the applicant knows enough about the anchor tag and links and I think this question did its job well.

The img tag is inline (sorry, couldn’t find a good reference; Gecko and WebKit treat it as inline, though), but most designers set its display property to block.

When a form is submitted, the submitted data is derived from only the input elements inside the form.

FALSE

Yet another trick question. I’m checking whether the applicant has tried putting input elements outside the form, since doing so is a sign of being an Advanced Beginner.

Anyway, this is false simply because the textarea and select elements will also determine the data submitted by the form.

Multiple elements can have the same id attribute.

DEPENDS

You can define multiple elements with the same id attribute, but it won’t validate in most HTML validators. It will also screw up your DOM document.getElementById() calls.

If you find yourself using the same id on multiple elements for styling reasons, it’s a sign to use class selectors instead.

Web servers serve content at port 443.

DEPENDS

Many web applications will serve content at port 443 for login and other secure transactions because it’s the default HTTPS port. However in most cases, websites use the default HTTP port: port 80.

I am honestly surprised how many web developers aren’t familiar with the concept of port numbers.

A web server can identify if a client has visited the website before.

DEPENDS

Yet another trick question to bait the higher skilled applicants.

A Competent developer would be quick to point out that HTTP is a stateless protocol. That is, servers are supposed to forget about previous HTTP transactions.

But as we all know, web servers can determine if a client has visited before, whether at the server level (server logs) or at the application level (cookies, sessions).

POST is idempotent.

FALSE

This is the second most difficult question in the test as most developers aren’t fully aware of concepts like HTTP verbs and idempotency.

POST is not idempotent as it produces side effects. This is why sometimes when you refresh a non-responding page, the browser will prompt you whether to submit the data again to prevent you from submitting the data twice, something that might produce unwanted side effects (e.g. getting billed twice).
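The double-billing risk described here is commonly mitigated with a client-supplied idempotency key, a technique the post itself does not mention. The added example below (not from the original post) simulates the browser re-sending the same POST twice against a constructed in-memory BillingService, once with a plain handler and once with a handler that replays the stored result for a key it has already seen; the header name and the service are my own construction.

```python
import uuid

class BillingService:
    """Constructed example service: every real charge is appended to self.charges,
    so its length is the number of side effects that actually happened."""

    def __init__(self):
        self.charges = []   # (charge_id, order_id, amount) per real charge
        self._seen = {}     # idempotency key -> (status, body) of the first attempt

    def charge_plain(self, order_id, amount):
        # Plain POST handler: each call is a new side effect, retries included.
        charge_id = str(uuid.uuid4())
        self.charges.append((charge_id, order_id, amount))
        return 201, {"charge_id": charge_id}

    def charge_idempotent(self, idem_key, order_id, amount):
        # Hypothetical Idempotency-Key header value supplied by the client.
        # A replayed key returns the original response instead of charging again.
        if idem_key in self._seen:
            return self._seen[idem_key]
        result = self.charge_plain(order_id, amount)
        self._seen[idem_key] = result
        return result

def simulate_double_submit(use_key):
    """Send the same POST twice (the F5-on-a-stalled-page case) and return how
    many charges were really made."""
    svc = BillingService()
    key = "form-render-7f3a"  # constructed; in practice a fresh UUID per form render
    for _ in range(2):
        if use_key:
            svc.charge_idempotent(key, order_id=42, amount=9.99)
        else:
            svc.charge_plain(order_id=42, amount=9.99)
    return len(svc.charges)

if __name__ == "__main__":
    print(simulate_double_submit(use_key=False))  # 2, billed twice
    print(simulate_double_submit(use_key=True))   # 1, the retry was absorbed
```

The key has to be generated by the client before the first attempt (and be bound to the authenticated user server-side), otherwise a retry cannot be recognised as one.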

A browser redirect can be initiated by a response with an empty body.

TRUE

A Competent web developer should be aware of the Request-Response cycle in HTTP and should have implemented a browser redirect at least once in his/her career. Typically this would be done via HTTP status code 302 with an empty response body, as the target location is defined in the Location response header.

In JavaScript, the var keyword is optional when declaring variables so it can be omitted in all cases.

FALSE

All JavaScript variables not declared using var are considered global variables. And we don’t want a crapload of global variables running around the place, right?

You must specify a function name when declaring JavaScript functions.

FALSE

JavaScript is a functional language. It supports declaring functions without function names.

jQuery developers would be familiar with this fact due to the frequent use of closures in the said framework.

Ajax will prevent you from performing other actions until the Ajax action is completed.

FALSE

Ajax, as the original name implies (Asynchronous JavaScript and XML), is asynchronous. There are ways to make it behave synchronously, though.

You are limited to using XML in Ajax.

FALSE

Even though the name implies that you should use XML in Ajax, most current implementations don’t use XML due to its bloated nature. For example, Facebook uses JSON in their Graph API.

You cannot change the values of a class variable.

FALSE

Class variables are just like any other variables: they can be modified unless declared as constants.

Of course, I still had to make the applicant explain what class variables and instance variables are to check their overall skill level.

Constructors are instance methods.

TRUE

Constructors act upon instances of the class, and as such, can be considered as instance methods.

What I’d love to see is for someone to argue that they are class methods. Knowing the difference between instance and class methods can turn an Advanced Beginner to a Competent developer in my book.

Polymorphism refers to the ability to define functions to have different behaviors depending on the passed arguments.

It’s another trick question, as most Novices would not know the difference between the two (or even know how to properly use polymorphism).

High cohesion and loose coupling can improve coding speed.

DEPENDS

Arguably the most difficult question in the test. Only Competent developers would take time to study enough material on OOP to be familiar with cohesion and coupling.

Anyway, the answer depends on the definition of “coding speed”. If it talks about coding from scratch, high cohesion and loose coupling would slow down coding as it requires the generation of more classes than would the opposite approach. If it talks about overall coding time, which includes addition of new features and maintenance, then yes, it will improve coding speed due to the isolation of changes preventing more bugs from creeping into the system.

You can combine the features of two classes via inheritance.

DEPENDS

Technically, inheritance can combine the features from a parent class with the features of the new subclass.

But if you have two different classes that you need to combine, say a Car class and a Person class, it would not be good to let the Person class inherit the Car class as it would violate the Liskov substitution principle. In those cases, it’s better to use aggregation instead of inheritance.

Encapsulation is primarily used for security reasons.

DEBATABLE

While it is true that hiding the internals of a class is one of the reasons why encapsulation is used (e.g. preventing other classes from messing with variables that might screw up the application), one could argue that, on a larger scale, encapsulation’s enforcement of contracts between objects is more important.

—

And there you have it, 30 questions with no definite answers. Don’t even bother using this as a reviewer when applying for a job in a local IT company; I’ll bet 99% of companies won’t even bother with this type of (hard-to-check) exam.

That’s why when running any ad hoc CRUD queries in a prod DB, it’s always good practice to enclose all queries in a transaction (BEGIN) and only execute the COMMIT after it has yielded the expected result/s.

Escaping special characters is the best way to avoid SQL injection.

The best way to avoid SQL injection is never to allow applications to connect using an admin account, never to return SQL Server error messages to the user and, as you’ve said, to use a parameterized query.

When using an RDBMS, normalization must be done for all tables.

For OLTP, normalized is preferred, while for OLAP it’s the other way around. But I must admit sometimes a fully normalized table like > 3NF really takes SQL skills to CRUD/SELECT.

Under strict XHTML rules, <br> is not a valid usage of the line break element.

I just use

Web servers serve content at port 443.

Depends. If it’s an internet-facing web server, HTTP 80 and HTTPS 443, but for internal/intranet use it can be on any valid unused port the user wishes.

High cohesion and loose coupling can improve coding speed.

Since I consider myself a connected systems developer, I’m always in favor of building solutions in a loosely-coupled way. For me, the separation of concerns/n-tier approach is the way to go.

I would add:

1. How do you handle cross-cutting concerns like error handling, logging and security?
2. What’s the difference between SOAP and REST, and when would you use each?
3. What is a deadlock? How would you avoid them?

The best way to avoid SQL injection is never to allow applications to connect using an admin account, never to return SQL Server error messages to the user and, as you’ve said, to use a parameterized query.

Neither of the first two is foolproof, unlike using parameterized APIs. A non-admin account will still have DELETE and SELECT rights, while not returning server error messages will still allow the malicious action to be executed.

For OLTP, normalized is preferred, while for OLAP it’s the other way around. But I must admit sometimes a fully normalized table like > 3NF really takes SQL skills to CRUD/SELECT.

That’s pretty much the answer above, though I personally would flunk a guy who believes that going beyond 3NF should be done to databases. It’s just not practical.

Since I consider myself a connected systems developer, I’m always in favor of building solutions in a loosely-coupled way. For me, the separation of concerns/n-tier approach is the way to go.

When you need to build a quick script or throw-away tool, forcing things to strictly adhere to OOP concepts is pretty much the wrong way to go.

1. How do you handle cross-cutting concerns like error handling, logging and security?
2. What’s the difference between SOAP and REST, and when would you use each?
3. What is a deadlock? How would you avoid them?

The only good question here is the deadlock question.

For the first question, the only answer I’d accept would be “Let the framework handle it.” Any other answer would tip me that the applicant is a complicator.

As for the second question, it’s about as bad as the idempotent and coupling question. I’ve met a lot of devs in my career and the only people who know about REST are the really hardcore web devs and the Rails guys. Even in my old CMMI level 5 company, I think only 1 or 2 guys there know about REST.

In my experience, 95% of applicants don’t even know either subtype polymorphism or function overloading. Given that, I would expect that anyone who would say “true” to that question is most likely guessing.

But if the applicant really knows what real polymorphism is, for example, she could explain that Barbara Liskov’s oft-misquoted

What is wanted here is something like the following substitution property: If for each object o1 of type S there is an object o2 of type T such that for all programs P defined in terms of T, the behavior of P is unchanged when o1 is substituted for o2 then S is a subtype of T.

may mention “subtypes” but doesn’t imply that inheritance is required (it can be done via encapsulation – ad-hoc polymorphism). In that case, I may have to stop the interview, march over to HR and ask why the hell I even have to interview a person who could interview me.